The Age Appropriate Design Code, or Children’s Code, came into force on 2 September 2020. It has a twelve-month transition period, which means organisations need to conform by 2 September 2021. The Code is a statutory code of practice under the Data Protection Act 2018.
Data protection law recognises that the personal data of children should be given extra care. Children are treated differently in the real world with age restrictions, film ratings, and car seats. They should also be treated differently in the digital world. The Children’s Code seeks to do this by providing a baseline of protection to protect children within the digital world instead of just from it. The Code has put the law relating to children’s personal data into fifteen standards.
The fifteen standards are as follows:
- Best interests of the child: When you design and develop an online service which is likely to be accessed by children, you should place the best interests of the child as a primary consideration.
- Data protection impact assessments (DPIA): You should conduct a DPIA to consider and alleviate the risks that data processing poses to the rights and freedoms of children who are likely to access the service. Developmental needs, capacities, and ages should be considered.
- Age appropriate application: You should take a risk-based approach to recognise the individual age of users and you must effectively apply the standards of this code to child users. You could either establish the age of the users with certainty to apply this code to children or you could apply the standards of this code to all your users.
- Transparency: The privacy information, terms, policies, and community standards you provide must be concise, prominent, and in clear language appropriate to the age of the child. You should provide additional bite-sized explanations about how you use personal data at the point the use starts.
- Detrimental use of data: You must not use children’s personal data in a manner that has been shown to be detrimental to children’s wellbeing, or that goes against industry codes of practice, regulatory provisions, or Government advice.
- Policies and community standards: You must uphold your own published terms, policies, and community standards. This can include privacy policies, behaviour rules, age restrictions, and content policies.
- Default settings: Settings must be ‘high privacy’ by default unless you can show a compelling reason for a different default setting, whilst considering the best interests of the child.
- Data minimisation: You should only collect and retain the minimum amount of personal data you need to provide the parts of your service that a child is actively and knowingly engaged with. Children should be given separate choices over which parts they wish to activate.
- Data sharing: You must not disclose children’s data unless you can show a compelling reason to do so, whilst considering the best interests of the child.
- Geolocation: Geolocation services should be switched off by default unless you can show a compelling reason for geolocation to be switched on by default, whilst considering the best interests of the child. You should provide an obvious sign for children when location tracking is on. Any option that makes a child’s location visible to other users must default back to ‘off’ at the end of each session.
- Parental controls: If parental controls are provided, the child must be given age appropriate information about them. If your online services allow parents or carers to monitor their child’s online activity or track their location, you should provide an obvious sign to the child when they are being monitored.
- Profiling: Any profiling options must be switched off by default unless you can show a compelling reason for profiling to be on by default, whilst considering the best interests of the child. You should only allow profiling if you have appropriate measures in place to protect the child from any harmful effects, which include being sent material that is detrimental to the child’s health or wellbeing.
- Nudge techniques: You must not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
- Connected toys and devices: If you provide a connected toy or device, you must include effective tools which enable compliance with this code.
- Online tools: You must provide prominent and accessible tools to help children implement their data protection rights and be able to report concerns.